create-nuxt-base 2.2.8 → 2.3.1

package/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [2.3.1](https://github.com/lenneTech/nuxt-base-starter/compare/v2.3.0...v2.3.1) (2026-03-15)
+
+## [2.3.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.2.8...v2.3.0) (2026-03-09)
+
 ### [2.2.8](https://github.com/lenneTech/nuxt-base-starter/compare/v2.2.7...v2.2.8) (2026-03-08)
 
 ### [2.2.5](https://github.com/lenneTech/nuxt-base-starter/compare/v2.2.4...v2.2.5) (2026-02-10)

package/nuxt-base-template/.claude/agent-memory/lt-dev-npm-package-maintainer/MEMORY.md

@@ -0,0 +1,59 @@
+# NPM Package Maintainer Memory - nuxt-base-template
+
+## Project Basics
+
+- Package manager: pnpm (pnpm-lock.yaml present)
+- Type: Private Nuxt 4 template (not a library)
+- Test command: `pnpm run test:unit` (vitest, 43 tests in 2 files)
+- Build command: `pnpm run build` (nuxt build)
+
+## Key Dependency Patterns
+
+- `better-auth`, `@better-auth/passkey`, `tus-js-client` are peer dependencies of `@lenne.tech/nuxt-extensions` - keep in `dependencies`
+- `@nuxt/ui` and `@vueuse/nuxt` belong in `dependencies` (used in app/ source files with type imports)
+- pnpm sometimes auto-moves packages to devDependencies during `-D` updates - watch and fix
+
+## Security Overrides
+
+- Overrides are in `pnpm.overrides` (inside the `pnpm` key), NOT a top-level `overrides` key
+- `pnpm audit --fix` outputs proposed overrides as JSON (does not apply automatically)
+- `pnpm install` must be run after adding/updating overrides to re-resolve lockfile
+- `nanotar` vulnerability from nuxt has NO patched version (`<0.0.0`) - cannot be fixed
+
+## Deprecated Package Notes
+
+- `@hey-api/client-fetch`: deprecated ("bundled in @hey-api/openapi-ts since v0.73.0") but still a valid runtime HTTP client for generated API SDKs - KEEP in dependencies
+- `openapi-ts.config.ts` uses deprecated `lint`/`format` options; use `postProcess: ['eslint', 'prettier']` instead
+- `@nuxtjs/color-mode`: do NOT add to devDeps - @nuxt/ui brings its own 3.x internally; 4.0.0 would conflict
+
+## Override Cleanup Notes (2026-03-09)
+
+Removed as no longer needed:
+
+- `devalue@<=5.6.2` - nuxt requires ^5.6.2, latest is 5.6.3 (always picked)
+- `fast-xml-parser@>=5.0.0 <5.3.8` - @nuxtjs/sitemap requires ^5.3.3, latest is 5.4.2 (always safe)
+- `markdown-it@>=13.0.0 <14.1.1` - prosemirror-markdown requires ^14.0.0, latest is 14.1.1 (always picked)
+- `minimatch@>=5.0.0 <5.1.8` - readdir-glob installs minimatch 5.1.9 which is already >=5.1.8 (safe)
+
+Still required (keep these overrides):
+
+- `@hono/node-server@<1.19.10` - @prisma/dev requires 1.19.9 exactly
+- `hono@<4.12.4` - @prisma/dev requires 4.11.4 exactly
+- `lodash@>=4.0.0 <=4.17.22` - @chevrotain/gast requires 4.17.21 exactly (vulnerable)
+- `minimatch@>=9.0.0 <9.0.7` - editorconfig 1.0.4 requires 9.0.1 exactly (in vulnerable range)
+- `rollup@>=4.0.0 <4.59.0` - vite requires ^4.43.0 which could pick <4.59.0
+- `serialize-javascript@<=7.0.2` - @rollup/plugin-terser requires ^6.0.1 (6.x is vulnerable)
+- `svgo@=4.0.0` - postcss-svgo requires ^4.0.0 which could pick 4.0.0 (vulnerable)
+- `tar@<=7.5.9` - @mapbox/node-pre-gyp requires ^7.4.0 (7.4.x is vulnerable)
+
+## Version History (2026-03-09)
+
+After maintenance, all packages at latest:
+
+- `@lenne.tech/nuxt-extensions`: 1.3.0
+- `nuxt`: 4.3.1
+- `vitest`: 4.0.18 (major from 3.x)
+- `@nuxt/test-utils`: 4.0.0 (major from 3.x, requires vitest ^4.0.2)
+- `vitest` v4 + `@nuxt/test-utils` v4 must be updated together (compatibility requirement)
+- Residual vulnerabilities: 1 moderate (nanotar, unfixable)
+- Removed: `@nuxtjs/color-mode` from devDeps (unused, conflicts with @nuxt/ui's internal 3.5.2)

package/nuxt-base-template/.env.example

@@ -1,10 +1,32 @@
 NUXT_PUBLIC_SITE_URL=http://localhost:3001
-NUXT_PUBLIC_APP_ENV=development
+NUXT_PUBLIC_APP_ENV=local
 NODE_ENV=development
 NUXT_API_URL=http://localhost:3000
 NUXT_PUBLIC_API_URL=http://localhost:3000
 NUXT_PUBLIC_WEB_PUSH_KEY=
-NUXT_PUBLIC_STORAGE_PREFIX=base-dev
+# Local storage namespace prefix (prevents key collisions between projects on localhost)
+NUXT_PUBLIC_STORAGE_PREFIX=my-project-local
+
+# ---------------------------------------------------------------------------
+# Local Development API Proxy
+# ---------------------------------------------------------------------------
+# Enables the Vite dev proxy to forward /api/* requests to the backend
+# (localhost:3000). The proxy strips the /api/ prefix before forwarding,
+# so the backend receives the original path (e.g., /iam/sign-in).
+#
+# WHY: In local development, frontend (localhost:3001) and backend
+# (localhost:3000) are on different ports. Browsers enforce same-origin
+# policy for cookies, which breaks session-based authentication.
+# The proxy makes all requests appear same-origin.
+#
+# IMPORTANT: Set to 'true' ONLY for local development with `nuxt dev`.
+# NEVER enable on deployed stages (develop, test, preview, production)
+# — deployed stages call the backend directly via NUXT_PUBLIC_API_URL.
+#
+# Nuxt auto-maps this to runtimeConfig.public.apiProxy
+NUXT_PUBLIC_API_PROXY=true
+
+NUXT_PLAUSIBLE_API_URL=
 
 NUXT_LINEAR_API_KEY=
 NUXT_LINEAR_TEAM_NAME=

package/nuxt-base-template/nuxt.config.ts

@@ -15,7 +15,7 @@ export default defineNuxtConfig({
   // ============================================================================
   // Bug Reporting (Linear Integration via @lenne.tech/bug.lt)
   // ============================================================================
-  // @ts-expect-error bug.lt module config - module temporarily disabled
+  // @ts-ignore bug.lt module has no type declarations
   bug: {
     enabled: process.env.NUXT_PUBLIC_APP_ENV !== 'production',
     linearApiKey: process.env.NUXT_LINEAR_API_KEY,
@@ -49,7 +49,7 @@ export default defineNuxtConfig({
   // ============================================================================
   // Environment-specific Layers
   // ============================================================================
-  extends: process.env.NUXT_PUBLIC_APP_ENV === 'development' ? ['./docs'] : [],
+  extends: ['local', 'development'].includes(process.env.NUXT_PUBLIC_APP_ENV || '') ? ['./docs'] : [],
 
   // ============================================================================
   // Image Optimization
@@ -65,9 +65,10 @@ export default defineNuxtConfig({
   // Icon Configuration
   // ============================================================================
   icon: {
-    // Ensure dynamically rendered icons (e.g., inside v-for) are included in the bundle
+    // Icons used in v-for loops or dynamic rendering must be in the client bundle
+    // Dynamic icons can set via icons, e.g. icons: ['lucide:trash', 'lucide:key', 'lucide:copy', 'lucide:loader-circle'],
     clientBundle: {
-      icons: ['lucide:trash', 'lucide:key', 'lucide:copy', 'lucide:loader-circle'],
+      scan: true,
     },
   },
 
@@ -84,9 +85,9 @@ export default defineNuxtConfig({
   ltExtensions: {
     auth: {
       enabled: true,
-      // baseURL is used in production mode for cross-origin API requests
-      // In dev mode, Nuxt proxy is used (baseURL is ignored, requests go through /api/iam)
-      // In production, requests go directly to baseURL + basePath (e.g., https://api.example.com/iam)
+      // baseURL is used when NUXT_PUBLIC_API_PROXY is NOT enabled (deployed stages)
+      // With proxy: requests go through /api/iam (proxy strips /api/ and forwards to backend)
+      // Without proxy: requests go directly to baseURL + basePath (e.g., https://api.example.com/iam)
       baseURL: process.env.NUXT_API_URL || 'http://localhost:3000',
       basePath: '/iam',
       loginPath: '/auth/login',
@@ -115,7 +116,7 @@ export default defineNuxtConfig({
   modules: [
     '@lenne.tech/nuxt-extensions', // Auth, Upload, Transitions
     '@nuxt/test-utils/module', // E2E testing with Playwright
-    // '@lenne.tech/bug.lt', // Bug reporting to Linear - TEMPORARILY DISABLED FOR TESTING
+    '@lenne.tech/bug.lt', // Bug reporting to Linear
     '@vueuse/nuxt', // Vue composition utilities
     'dayjs-nuxt', // Date/time handling
     '@nuxt/image', // Image optimization
@@ -160,6 +161,12 @@ export default defineNuxtConfig({
       apiUrl: 'http://localhost:3000',
       // NUXT_PUBLIC_WEB_PUSH_KEY overrides this
       webPushKey: '',
+      // API Proxy: Routes client-side /api/* requests through the Vite dev proxy
+      // to the backend (localhost:3000). Required for same-origin cookies during
+      // local development. Set NUXT_PUBLIC_API_PROXY=true in .env ONLY for local dev.
+      // Nuxt auto-maps NUXT_PUBLIC_API_PROXY to this key.
+      // See: @lenne.tech/nuxt-extensions → isLocalDevApiProxy()
+      apiProxy: false,
     },
   },
 
@@ -200,22 +207,25 @@ export default defineNuxtConfig({
     optimizeDeps: {
       exclude: ['@tailwindcss/vite', 'lightningcss', '@vue/devtools-core', '@vue/devtools-kit', '@internationalized/date'],
     },
-    plugins: [tailwindcss()],
+    plugins: [tailwindcss() as any],
     server: {
       proxy: {
-        // IAM proxy via /api prefix (nuxt-extensions adds /api in dev mode)
-        // Must be before /api to match more specifically
-        '/api/iam': {
-          target: 'http://localhost:3000',
-          changeOrigin: true,
-          rewrite: (path) => path.replace(/^\/api/, ''),
-        },
-        // API proxy - no rewrite, backend expects /api/... paths
+        // API proxy for local development (NUXT_PUBLIC_API_PROXY=true)
+        //
+        // How it works:
+        // 1. Client-side requests go to /api/... (e.g., /api/iam/sign-in, /api/i18n/errors/de)
+        // 2. This proxy strips the /api prefix and forwards to the backend
+        // 3. Backend receives the original path (e.g., /iam/sign-in, /i18n/errors/de)
+        //
+        // Why: Frontend (localhost:3001) and backend (localhost:3000) run on different
+        // ports. The proxy makes requests same-origin so cookies work correctly.
         '/api': {
           target: 'http://localhost:3000',
           changeOrigin: true,
+          rewrite: (path) => path.replace(/^\/api/, ''),
         },
-        // IAM proxy for direct BetterAuth endpoints (SSR mode)
+        // Direct IAM proxy for BetterAuth endpoints (SSR Nitro server handler
+        // and direct browser redirects, e.g., OAuth callbacks)
         '/iam': {
           target: 'http://localhost:3000',
           changeOrigin: true,

package/nuxt-base-template/package.json

@@ -51,7 +51,7 @@
     "@better-auth/passkey": "1.5.4",
     "@hey-api/client-fetch": "0.13.1",
     "@lenne.tech/bug.lt": "latest",
-    "@lenne.tech/nuxt-extensions": "1.2.12",
+    "@lenne.tech/nuxt-extensions": "1.3.0",
     "@nuxt/image": "2.0.0",
     "@nuxt/ui": "4.5.1",
     "@pinia/nuxt": "0.11.3",
@@ -64,15 +64,14 @@
   "devDependencies": {
     "@hey-api/openapi-ts": "0.94.0",
     "@iconify-json/lucide": "1.2.96",
-    "@nuxt/devtools": "3.2.2",
+    "@nuxt/devtools": "3.2.3",
     "@nuxt/test-utils": "4.0.0",
-    "@nuxtjs/color-mode": "4.0.0",
     "@nuxtjs/plausible": "3.0.2",
     "@nuxtjs/seo": "3.4.0",
     "@playwright/test": "1.58.2",
     "@tailwindcss/typography": "0.5.19",
     "@tailwindcss/vite": "4.2.1",
-    "@types/node": "25.3.5",
+    "@types/node": "25.4.0",
     "@types/qrcode": "1.5.6",
     "@vitejs/plugin-vue": "6.0.4",
     "@vue/test-utils": "2.4.6",
@@ -117,12 +116,8 @@
     ],
     "overrides": {
       "@hono/node-server@<1.19.10": ">=1.19.10",
-      "devalue@<=5.6.2": ">=5.6.3",
-      "fast-xml-parser@>=5.0.0 <5.3.8": ">=5.3.8",
       "hono@<4.12.4": ">=4.12.4",
       "lodash@>=4.0.0 <=4.17.22": ">=4.17.23",
-      "markdown-it@>=13.0.0 <14.1.1": ">=14.1.1",
-      "minimatch@>=5.0.0 <5.1.8": ">=5.1.8",
       "minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
       "rollup@>=4.0.0 <4.59.0": ">=4.59.0",
       "serialize-javascript@<=7.0.2": ">=7.0.3",